The malware GhostClaw steals developers' encrypted wallet data via an npm package.

CoinFeed reported on March 23 that, according to Cryptopolitan, a new malware called GhostClaw is targeting crypto wallets on macOS devices. This malware, disguised as the legitimate OpenClaw CLI tool, existed in the npm registry for a week, infecting 178 developers before being removed on March 10. Once a developer runs the "npm install" command, a hidden script globally installs the GhostClaw package, evading detection through obfuscated configuration files. GhostClaw scans the clipboard every three seconds, capturing private keys, mnemonic phrases, public keys, and other crypto wallet and transaction-related data.